Multi-user data processing system with storage protection

ABSTRACT

A data processor is adapted, in particular with respect to the microcode, in such a way that the execution of standard commands of the processor which are loaded in a user memory area and request reading or writing access to the content of memory cells is inhibited. In the operating system memory area there is a memory area access table, in which there is stored the address area authorized per user memory area for the commands there. Finally, there is an additional program routine which is called up by a command loaded in a user memory area and requesting reading or writing access to a memory cell, and checks by means of the memory area access table (before execution) whether the requested access to a memory cell lies in the authorized address area. If it does not lie in the authorized address area, the additional program routine inhibits the execution of the command. The invention has the advantage that the "radius of action" of one or more application programs in the user program memory area can be restricted in a simple way.

FIELD OF THE INVENTION

The present invention relates to a data processing and memory access system which protects a memory from unauthorized reading and writing interventions in the memory.

BACKGROUND INFORMATION

A data processing system generally has as the main resources a processor and a memory. On the one hand, the memory can store the command instructions to be processed by the processor, and on the other hand, the processor can write processing results back into the memory. Usually, the memory altogether available, i.e. addressable by the processor, is subdivided into at least two individual areas. In the first area, which is referred to in the following as the operating system memory area, there is entered during the manufacture of the data processing system a so-called operating system coding, with which, in particular, the hardware components of the system are managed. In the second area, which is referred to in the following as the user memory area, programs and data created by users of the data processing system themselves can be stored.

From the viewpoint of the processor of a data processing system, there is in fact no distinction drawn between these two memory areas. In particular, it is immaterial whether, as is the case with mobile data processing systems, such as, for example, processor chip cards, the entire address area of the microprocessor is physically divided into an unalterable memory (for example ROM) for the operating system and a non-volatile application memory (for example EEPROM). Utilizing the entire address area, if required, the processor accesses any memory element, irrespective of whether it is in the operating system memory area or in the user memory area. However, this has the consequence that, by means of an individual program code, i.e. user command instructions which have been stored by a user in a user memory area of the mobile data processing system reserved for him, both the operating system memory area and user memory areas assigned to other users, and the user programs or user data installed there, can be accessed unhindered in a reading and/or altering manner, whether intentionally or accidentally.

In EP 05 61 509 A1 there is represented a networked computer system with a multiplicity of user terminals and input and output interfaces. The computer system is operated by an operating system, such as for example a UNIX operating system instruction set. In the computer system, operating system commands intended for users for input and output interfaces can generally be inhibited. Monitored by the operating system, they can be called up or activated by a user of the computer system by an additional operating system command if the said user has an access authorization stored in a memory.

In DE 41 15 152 A1, a data-protecting microprocessor circuit for portable data media is disclosed. This circuit contains an additional protective circuit, decoupled from the actual microprocessor circuit, which ensures that an unknown program can access only those memory areas which are authorized for access. In this case, in a first embodiment, the additional protective circuit contains a first comparator with auxiliary register and a second comparator with auxiliary register. The user-dependent limit values for accesses to memory areas are stored either in hard-wired logic or in safe memories and are loaded into the auxiliary registers by the actual microprocessor circuit. These limit values are compared by the comparators with the address register and the program counter of the actual microprocessor circuit. The output values of the comparators are logically combined by an AND gate and passed to the control circuit of the actual microprocessor circuit. In a second hardware variant, the additional protective circuit contains its own back-up processor with a frequency clock dividing circuit and its own memory arrangement. In the latter, the user-dependent limit values for accesses to memory areas are stored and are compared by the back-up processor with the address register and the program counter of the actual microprocessor circuit.

SUMMARY OF THE INVENTION

The present invention is thus based on the object of specifying access protection for a portable chip card memory which operates as far as possible without any intervention in the hardware structures of the chip card.

The object is achieved by, first of all, the processor being adapted, in particular with respect to the internal microcode, in such a way that the execution of standard commands of the processor which are loaded in a user memory area and request reading or writing access to the content of memory cells is inhibited. In the operating system memory area there is, furthermore, a memory area access table, in which there is stored per user memory area the authorized address area for the commands loaded in the respective user memory area. Finally, in the operating system of the processor there is an additional program routine which is called up by a command loaded in a user memory area and requesting reading or writing access to a memory cell, and checks by means of the memory area access table before command execution whether the access to a memory cell requested by the respective command lies in the authorized address area, and otherwise inhibits the execution of the command.

The invention has the advantage that the "radius of action" of one or more application programs contained in the user program memory area can be restricted in a simple way by software means alone to a specific area of the memory of the data processing system, without additional hardware components being required. The address area of the memory enabled for writing and reading accesses of commands of a user program can be stored user-dependently in the memory area access table. Generally, the authorized address area will coincide with the user memory area made available to a user and containing an individual user program code. Consequently, a user is denied writing and reading accesses by means of his user program code from the user program memory area assigned to him to memory cells which lie either in the user memory area assigned to another user or in the operating system memory area.

BRIEF DESCRIPTION OF THE DRAWINGS

The FIGURE illustrates an exemplary memory arrangement according to the present invention.

DETAILED DESCRIPTION

The FIGURE shows an exemplary division of the memory of a data processing system, also referred to as memory layout. In this case, the memory is essentially divided into two parts. An upper, so-called operating system memory area, the address area of which begins at the start address 0000h (h=hexadecimal coding), serves for receiving the operating system code. The operating system essentially organizes the controlling of the microprocessor 100, the operation of any further resources the data processing system has, and the accesses to the memory. An adjoining user memory area, the address area of which in the example represented begins at a start address 8000h (h=hexadecimal coding), serves for receiving the application program and application data codings of generally various users. This memory area is consequently itself divided into individual sub-areas. In the example of the FIGURE, two such sub-areas are represented. One area, extending for example from the address 8000h to 8FFFh, is provided for a user A for receiving a user program code and user data code. An adjoining area, extending from the address 9000h to 9FFFh, is provided for a second user B, likewise for receiving a user program code and user data code. From the following start address A000h to the end of the memory, with the address FFFFh, there may adjoin sub-areas assigned to further users.

In the example represented, consequently the user A, for example, to whom the user memory area in the address area from 8000h to 8FFFh has been assigned, can, on account of a user program code installed therein, access only user data of which the code is likewise stored in cells of which the address area extends from the start address 8000h to the end address 8FFFh. This is ensured according to the invention by a corresponding entry in the cell of the operating system memory area denoted by "user program A" in the memory area access table. In the example of the FIGURE, this is represented by a permissible program branch of the user program code A, denoted by S1, represented by a solid line and directed forwards, within the own user program memory area. All other program branches extending from this user program memory area, for instance a branch S5 extending into the operating system memory area or a branch S3 extending into the neighboring user program memory area of the user B having the range 9000h to 9FFFh, are impermissible and are consequently not executed. These are respectively represented in the FIGURE by a dotted line.

In the same way, with the application program code installed by a further user B in the user program memory area from 9000h to 9FFFh, it is only possible to execute reading or writing accesses to memory cells lying within the own user program memory area, for example the backwardly directed program branch S2. An access originating from this user program memory area and directed at the memory area of the user A, represented in the FIGURE by a dotted line S4, is likewise impermissible and can be prevented according to the invention.

The adaptation of the processor 100 with respect to its internal microcode is advantageously performed in such a way that, before the execution of standard commands of the processor 100 which request reading or writing access to the content of memory cells, first of all the current content of the program counter 110 of the processor 100 belonging to the respective standard command is checked. This "points", as it were, to the source address of the command currently awaiting execution. If the content of the program counter 110 refers to the address of a memory cell lying in the operating system memory area, the command is, for example, an integral part of the operating system, and the execution of the command is enabled; in this case, the origin of the command is not user-dependent but system-dependent. If, on the other hand, the content of the program counter refers to the address of a memory cell lying in the user memory area, the execution of the command is inhibited, since the source of the command is then clearly user-dependent.

According to the present invention, the execution of such commands is made possible in an indirect way via the program routine present in the operating system of the processor 100. This routine is advantageously designed in such a way that first of all the current content of the stack 115 of the processor 100 belonging to the respective command requesting reading or writing access to a memory cell is checked. Contained in this stack 115 is the return address of the command, which likewise reflects the "source" of the command awaiting execution. Then, the entry belonging to the content of the stack in the memory area access table is compared with the access to a memory cell requested by the respective command. If the requested access refers to a memory cell lying outside the authorized address area contained in the memory area access table, the execution of the command is inhibited; otherwise it is enabled.
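The two-stage check of the preceding two paragraphs, as an added C simulation that is not part of the patent: the microcode stage admits a standard command directly only when the program counter lies in the operating system area, and the operating system routine admits a user command only when the table entry selected by the return address on the stack authorizes the target cell. The layout and table entries are constructed from the FIGURE's addresses; all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Memory layout from the FIGURE: operating system at 0000h-7FFFh,
 * user A at 8000h-8FFFh, user B at 9000h-9FFFh. Constructed values. */
#define OS_START 0x0000u
#define OS_END   0x7FFFu

typedef struct {
    uint16_t area_start, area_end;  /* user memory area the entry belongs to */
    uint16_t auth_start, auth_end;  /* address area authorized for its commands */
} access_entry_t;

/* Memory area access table held in the operating system memory area.
 * As in the patent's example, each authorized area coincides with the
 * user's own memory area. */
static const access_entry_t access_table[] = {
    { 0x8000u, 0x8FFFu, 0x8000u, 0x8FFFu },  /* entry "user program A" */
    { 0x9000u, 0x9FFFu, 0x9000u, 0x9FFFu },  /* entry "user program B" */
};

static bool in_range(uint16_t a, uint16_t lo, uint16_t hi)
{
    return a >= lo && a <= hi;
}

/* Stage 1 (microcode): a standard read/write command executes directly
 * only if the program counter points into the operating system area. */
bool microcode_allows_direct(uint16_t pc)
{
    return in_range(pc, OS_START, OS_END);
}

/* Stage 2 (OS routine): the return address on the stack identifies the
 * calling user area; that area's table entry decides on the target cell.
 * A source with no table entry is inhibited. */
bool os_routine_allows(uint16_t return_addr, uint16_t target)
{
    for (size_t i = 0; i < sizeof access_table / sizeof access_table[0]; i++) {
        const access_entry_t *e = &access_table[i];
        if (in_range(return_addr, e->area_start, e->area_end))
            return in_range(target, e->auth_start, e->auth_end);
    }
    return false;
}

/* Combined decision for one memory access issued by the command at `source`. */
bool access_permitted(uint16_t source, uint16_t target)
{
    if (microcode_allows_direct(source))
        return true;                          /* operating system command */
    return os_routine_allows(source, target); /* user command, via the routine */
}
```

The test cases below replay the branches S1 to S5 of the FIGURE: S1 and S2 stay within their own areas and pass, S3, S4 and S5 cross into another user's area or the operating system and are inhibited.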

A data processing system according to the present invention is suitable in particular for mobile use, since specifically in that case concurrent use by a plurality of users is often necessary. Each user can in this case use the data processing system undisturbed by possible other users and without adverse effects, possibly only unintentional, on the programs and data of the other users. In particular, the data protection of the users among one another is safeguarded. Unauthorized, possibly also unprofessional, reading and writing interventions in the operating system by an application program code installed in a user program memory area are prevented. Particularly suited as mobile data processing systems according to the invention are processor chip cards.

What is claimed is:
 1. A portable chip card comprising: a memory, the memory including an operating system memory area and at least one user memory area; and a processor, the processor operating in accordance with a code so as to inhibit execution of processor standard commands which are loaded in the at least one user memory area and which request access to the contents of one or more memory cells, wherein: a memory area access table is stored in the operating system memory area, the memory area access table containing, for the at least one user memory area, an authorized address area entry for the processor standard commands loaded in the respective at least one user memory area, when a processor standard command loaded in the at least one user memory area requests access to a memory cell, an operating system program routine is called, the program routine checks the memory area access table to determine whether the access requested by the processor standard command lies within the authorized address area, and the program routine inhibits the execution of the processor standard command if the access requested does not lie within the authorized address area.
 2. The device of claim 1, wherein: the processor includes a memory counter, the contents of the memory counter being indicative of a memory address of a command to be executed, the memory counter of the processor is checked before execution of a processor standard command which requests access to the contents of one or more memory cells, if the contents of the program counter indicate a memory address lying within the operating system memory area, execution of the processor standard command is enabled, and if the contents of the program counter indicate a memory address lying within the at least one user memory area, execution of the processor standard command is inhibited.
 3. The device of claim 1, wherein: the processor includes a stack, the contents of the stack being indicative of a command to be executed, the operating system program routine checks the contents of the stack before execution of a processor standard command which requests access to the contents of one or more memory cells, the contents of the stack thereby being indicative of the requesting processor standard command, the program routine compares the access requested by the requesting processor standard command to the authorized address area entry, contained in the memory area access table, for the requesting processor standard command, and if the access requested indicates a memory cell lying outside the authorized address area, execution of the processor standard command is inhibited.